Custom rule testing order

When you build custom rules, you must optimize the order of the tests to ensure that the rules do not degrade custom rules engine (CRE) performance.

The tests in a rule are executed in the order in which they are displayed in the user interface. The most memory-intensive tests for the CRE are the payload and regular expression searches. To ensure that these tests run against a smaller subset of data and execute faster, you must place one of the following tests first:

  • when the event(s) were detected by one or more of these log source types
  • when the event QID is one of the following QIDs
  • when the source IP is one of the following IP addresses
  • when the destination IP is one of the following IP addresses
  • when the local IP is one of the following IP addresses
  • when the remote IP is one of the following IP addresses
  • when either the source or destination IP is one of the following IP addresses
  • when the event(s) were detected by one or more of these log sources

You can further optimize QRadar® by exporting common tests to building blocks. A building block executes once per event, as opposed to multiple times if the same tests are included individually in each rule.
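The following simulation is an added example, not QRadar code, that illustrates both points above: a rule is modelled as an ordered list of tests that stops at the first failing test, a cheap membership test (log source type, QID, source IP) is compared with a payload regular expression in both orders, and a shared building block is compared with the same tests copied inline into two rules. The event field names, the sample events and the `BuildingBlock` cache are assumptions made for the simulation, not the CRE's internals.

```python
"""Simulation of CRE test ordering and building blocks (added example, not QRadar code)."""
import re
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample events; field names are assumptions, not QRadar's schema.
EVENTS = [
    {"id": 1, "log_source_type": "LinuxServer", "qid": 1001, "src_ip": "10.0.0.5",
     "payload": "sshd: Failed password for root from 10.0.0.5"},
    {"id": 2, "log_source_type": "WindowsAuth", "qid": 2001, "src_ip": "10.0.0.9",
     "payload": "An account failed to log on. Account Name: admin"},
    {"id": 3, "log_source_type": "Firewall", "qid": 3001, "src_ip": "192.0.2.7",
     "payload": "deny tcp 192.0.2.7:4444 -> 10.0.0.5:22"},
    {"id": 4, "log_source_type": "LinuxServer", "qid": 1002, "src_ip": "10.0.0.12",
     "payload": "sshd: Accepted publickey for deploy from 10.0.0.12"},
    {"id": 5, "log_source_type": "WebProxy", "qid": 4001, "src_ip": "10.0.0.20",
     "payload": "GET /login?user=root HTTP/1.1"},
]


@dataclass
class Test:
    """One rule test; `calls` counts how often the predicate actually ran."""
    name: str
    predicate: Callable[[dict], bool]
    calls: int = 0

    def evaluate(self, event: dict) -> bool:
        self.calls += 1
        return self.predicate(event)


@dataclass
class BuildingBlock(Test):
    """A test shared by several rules: the result is cached per event, so the
    wrapped predicate runs once per event however many rules reference it."""
    cache: dict = field(default_factory=dict)

    def evaluate(self, event: dict) -> bool:
        if event["id"] not in self.cache:
            self.calls += 1
            self.cache[event["id"]] = self.predicate(event)
        return self.cache[event["id"]]


@dataclass
class Rule:
    name: str
    tests: list  # evaluated in display order; the first failing test stops the rule

    def matches(self, event: dict) -> bool:
        return all(t.evaluate(event) for t in self.tests)


# Cheap membership tests, the kind the text says to place first.
def log_source_is(*types):
    return lambda e: e["log_source_type"] in types

def qid_in(*qids):
    return lambda e: e["qid"] in qids

def src_ip_in(*ips):
    return lambda e: e["src_ip"] in ips

# The expensive test: a regular expression over the raw payload.
ROOT_PW_FAILURE = re.compile(r"Failed password for root")

def payload_matches(pattern):
    return lambda e: pattern.search(e["payload"]) is not None


def hits(rule, events):
    """IDs of the events the rule fires on."""
    return [e["id"] for e in events if rule.matches(e)]


def compare_orderings():
    """Same two tests in two orders: regex first versus log-source filter first."""
    regex_first = Test("payload regex", payload_matches(ROOT_PW_FAILURE))
    slow = Rule("slow", [regex_first, Test("log source", log_source_is("LinuxServer"))])
    regex_last = Test("payload regex", payload_matches(ROOT_PW_FAILURE))
    fast = Rule("fast", [Test("log source", log_source_is("LinuxServer")), regex_last])
    # Both rules fire on the same event; only the regex workload differs.
    return hits(slow, EVENTS), hits(fast, EVENTS), regex_first.calls, regex_last.calls


def compare_building_block():
    """Two rules share 'LinuxServer AND root password failure' as a prefix.
    Inline copies run the regex once per rule per event; a building block
    runs it once per event."""
    def common_tests():
        return [Test("log source", log_source_is("LinuxServer")),
                Test("payload regex", payload_matches(ROOT_PW_FAILURE))]
    inline_a, inline_b = common_tests(), common_tests()
    rule_a = Rule("A", inline_a + [Test("src ip", src_ip_in("10.0.0.5"))])
    rule_b = Rule("B", inline_b + [Test("qid", qid_in(1001))])
    inline_hits = (hits(rule_a, EVENTS), hits(rule_b, EVENTS))
    inline_regex_calls = inline_a[1].calls + inline_b[1].calls

    shared = Rule("BB: root ssh failure", common_tests())
    block = BuildingBlock("building block", shared.matches)
    bb_a = Rule("A", [block, Test("src ip", src_ip_in("10.0.0.5"))])
    bb_b = Rule("B", [block, Test("qid", qid_in(1001))])
    bb_hits = (hits(bb_a, EVENTS), hits(bb_b, EVENTS))
    return inline_hits, bb_hits, inline_regex_calls, shared.tests[1].calls


if __name__ == "__main__":
    print("ordering (slow hits, fast hits, regex calls slow, fast):", compare_orderings())
    print("building block (inline hits, bb hits, regex calls inline, bb):", compare_building_block())
```

With the five constructed events, placing the log source test first cuts the regex evaluations from five to two without changing which event the rule fires on, and moving the shared prefix into a building block halves the regex evaluations again across the two rules. Counting predicate calls rather than timing keeps the comparison deterministic; the ratio is what matters, and it grows with event volume.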

For more information about optimizing custom rules, see the IBM® QRadar User Guide.